A Tiered Framework For Cybersecurity Defenders


Published Apr 29, 2022 10:40 PM by Andrew Del Rosario

Global cyber security firm Mandiant is helping cyber defenders stay flexible and streamline their defensive efforts during the current uncertainty surrounding Russian cyber aggression against Ukraine. While helping critical infrastructure owners and operators prepare for possible Russian cyber attacks, we realized organizations would benefit from guidance on assessing their cyber threat level, moving between levels, and taking the actions appropriate to each.

As a result, we developed a framework to help defenders help themselves: first, by giving them a guide for assessing their threat level, and second, by specifying the actions to take at each level based on what they are observing. Most importantly, the framework shows organizations how to move from one threat level to another, giving them the flexibility to escalate, de-escalate, and otherwise maintain a steady state of active cyber defense. The tiers are cumulative: as the threat level rises, the defender keeps the recommendations of the lower tier(s) in place and builds the new tier's measures on top of them.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is tasked with coordinating the Nation's cyber security efforts and has done an exemplary job of pushing out critical guidance and alerts – at times jointly with other agencies such as the National Security Agency and the Federal Bureau of Investigation – to help entities protect themselves against cyber attacks.

If we have learned anything in the months since the start of the war in Ukraine, it is that cyber defense is a marathon, not a sprint. At this time, no one can predict when cyber attacks will occur or when we should stop expecting them. A heightened level of alert is not sustainable for cyber defenders over the long term, and it can be hard to read, analyze and prioritize relevant information when an organization's defenders are also under the stress of an imminent attack.

Our "Tiered Framework for Cyber Threat Levels" is meant to be used alongside CISA's "Shields Up" program, much as a quick start guide complements a comprehensive manual. The approach is intended to help defenders react quickly to events such as the ongoing war in Ukraine, an upcoming election, the discovery of a new zero-day exploit, or a widespread vulnerability like Log4j, and to help entities secure themselves when a threat goes from "bad" to "worse." Together, these resources can help organizations prepare adequately before a cyber attack begins, or respond methodically if they are already under attack, in order to minimize its impact.

Andrew Del Rosario is Director of DoD and Military Programs at Mandiant Consulting.

The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.